Client devices using SNTP not working with NTP server options

I have a Sophos running UTM firmware 9.403-4. This is running as an NTP server for client devices. It's working for all devices except some Spectralink 8440 Wi-Fi phones which use SNTP (not NTP) for time sync.

 

Is this supported on the Sophos end?

 

Are there any logs available to check for NTP requests being sent to the Sophos?



  • Hi, Chris, and welcome to the UTM Community!

    What do you learn from doing #1 in Rulz?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob

     

    I couldn't locate any specific information in the logs, I searched before posting, hence why I asked if there was a specific log capturing the NTP request information.

    I've been monitoring the live firewall, intrusion prevention and application control and I can't see anything related to NTP traffic.

  • You probably don't have an explicit firewall rule that silently drops NTP packets, so we can conclude that they aren't being dropped by the UTM.  On the 'Bandwidth Usage' tab of 'Logging & Reporting >> Network Usage', you can look at "Top clients by service" for NTP.  That will tell you if the UTM is receiving time requests from the phones.

    Cheers - Bob

  • I have devices that use SNTP, and have no problems.

    The only time I had an issue (which is a real face-palm moment) ...

    you did add the network they are on into the allowed networks list?

     

    Jason

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • Hi Jason

    I have made sure the VLAN is in the allowed network list for NTP.

    It was working until we went into Daylight saving time here in Australia. The client phones did not update (Other systems on the same network did). We have the phone vendor swearing black and blue that it's a network issue.

    I'm just looking for confirmation one way or the other.

  • To answer your original question, Chris, I can't imagine that a system capable of full NTP would not be able to do Simple NTP.

    If this changed when you went on DST, then I bet the phones won't accept the new time because the time is so far off that they're reaching the wrong time server.  What do the phone people say about that?

    Cheers - Bob

  • Hi Bob

     

    The phone company is straight out blaming the Sophos; it's my experience that they will do this until I can prove otherwise. I suspect it's a settings issue on the head sets. I will continue to work on it.

     

    Thanks for the assistance.

  • A rule in the firewall to allow SNTP will be sufficient.

    If DHCP of the phone is handled by Sophos, you have the option to give the NTP IP too, and I'm sure the phone will accept NTP instead of SNTP.

  • BAlfson said:

    You probably don't have an explicit firewall rule that silently drops NTP packets, so we can conclude that they aren't being dropped by the UTM.  On the 'Bandwidth Usage' tab of 'Logging & Reporting >> Network Usage', you can look at "Top clients by service" for NTP.  That will tell you if the UTM is receiving time requests from the phones.

    Cheers - Bob

    Looking at this thread and asking myself for the devices. So in the overview I got some traffic related to NTP:

    And then, this:

    Am I missing something?

     

    Best
    Alex

    -

  • What about the "Top servers by service: NTP" selection, Alex?

    Cheers - Bob

  • Hi All,

    There is a lot of good information here.

    In my experience with SIP devices, out of the box they do come with pre-programmed time servers (Yealink have Chinese time servers, which I have blocked with country blocking). Also there is a setting on Yealink phones that allows for priority to be given to either DHCP (options) time servers or the programmed time servers.

    Also seeing the top services does not mean that the rule is allowed, just that a device is trying to use that service.

    I have found many articles out there stating that they are the same, just that SNTP does not use the more advanced algorithms that NTP uses, e.g. drift.

    Please take a little time to read this page that I found:

    http://www.galsys.co.uk/news/sntp-vs-ntp/

    Hope this helps.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!
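An added example, not part of the original thread and not Sophos or Spectralink code: a minimal SNTP client in Python that sends the same 48-byte packet an NTP client would and validates the reply, which is one way to check from the phones' VLAN whether a time server answers simple queries. The function names are hypothetical, and the fields checked follow the standard SNTP packet layout.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP era) to 1970-01-01 (Unix)

def build_request(now):
    """48-byte client request: LI=0, VN=4, Mode=3, transmit timestamp = now."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (4 << 3) | 3
    struct.pack_into("!II", pkt, 40, int(now) + NTP_EPOCH_DELTA, int((now % 1) * 2**32))
    return bytes(pkt)

def _ts(data, off):
    # NTP timestamps are UTC; time zone and DST are applied by the client itself.
    sec, frac = struct.unpack_from("!II", data, off)
    return sec - NTP_EPOCH_DELTA + frac / 2**32

def parse_reply(data, request, t4):
    """Validate a server reply; return (clock_offset_seconds, stratum)."""
    if len(data) < 48:
        raise ValueError("short packet")
    li, mode, stratum = data[0] >> 6, data[0] & 7, data[1]
    if mode != 4:
        raise ValueError("not a server reply")
    if li == 3 or stratum == 0:
        raise ValueError("server unsynchronized or kiss-of-death")
    if data[24:32] != request[40:48]:
        # The reply must echo our transmit timestamp in its originate field.
        raise ValueError("originate timestamp mismatch")
    t1, t2, t3 = _ts(request, 40), _ts(data, 32), _ts(data, 40)
    return ((t2 - t1) + (t3 - t4)) / 2, stratum

def query(server, timeout=2.0):
    """Send one request to server:123; socket.timeout means no reply arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        request = build_request(time.time())
        s.sendto(request, (server, 123))
        data, _ = s.recvfrom(512)
        return parse_reply(data, request, time.time())
```
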

  • BAlfson said:

    What about the "Top servers by service: NTP" selection, Alex?

    Cheers - Bob

     

    Unfortunately, no, Bob. Strange that these reports work with other services (LDAP, DOMAIN). So maybe it's time to bother the support with that.

    Best
    Alex

    -
